#应用层内存查看

Medusa/KernelMemory.cc

@@ -32,6 +32,16 @@ KernelMemory::KernelMemory(QWidget* parent)
 	connect(ui.textEdit->verticalScrollBar(), &QScrollBar::valueChanged, this,&KernelMemory::TexeBar);
 	connect(ui.textEdit_2->verticalScrollBar(), &QScrollBar::valueChanged, this, &KernelMemory::TexeBar);
 	connect(ui.textEdit_3->verticalScrollBar(), &QScrollBar::valueChanged, this, &KernelMemory::TexeBar);
+
+	connect(ui.tabWidget, SIGNAL(currentChanged(int)), SLOT(ChangeTab()));//½ø³Ì
+}
+
+void KernelMemory::ChangeTab()
+{
+	if (ui.lineEdit->text() != "" && ui.lineEdit_2->text() != "")
+	{
+		QueryMemory();
+	}
 }
 
 void KernelMemory::TexeBar(int value)

Medusa/KernelMemory.h

@@ -38,6 +38,7 @@ public slots:
 	void DumpASM();
 	void QueryMemory();
 	void TexeBar(int value);
+	void ChangeTab();
 public:
 	Ui::Form_KernelMemory ui;
 	QStandardItemModel* _Model;

Medusa/Medusa.cpp

@@ -45,6 +45,12 @@ Medusa::Medusa(QWidget *parent)
 		_Driver_Loaded = true;
 	}
 	CloseHandle(m_hDevice);
+	_UserMemoryList.SetUserMemory(&_UserMemory);
+	_QTimer = new QTimer(this);
+	QObject::connect(_QTimer, &QTimer::timeout, [&](){
+			ChangeTab();
+		});
+	_QTimer->start(10000);
 	ChangeTab();
 }
 
@@ -54,6 +60,7 @@ void Medusa::Set_SLOTS()
 	connect(ui.tabWidget, SIGNAL(currentChanged(int)), SLOT(ChangeTab()));//序殻
 	connect(ui.tabWidget, SIGNAL(tabBarClicked(int)), SLOT(ChangeTab()));//序殻
 
+
 	connect(&_TableView_Menu_Inject, SIGNAL(triggered(QAction*)), SLOT(ProcessRightMenu(QAction*)));//序殻報炎嘔囚暇汽
 	connect(&_TableView_Menu_HookCheck, SIGNAL(triggered(QAction*)), SLOT(ProcessRightMenu(QAction*)));//序殻報炎嘔囚暇汽
 	connect(&_TableView_Menu_Modules, SIGNAL(triggered(QAction*)), SLOT(ProcessRightMenu(QAction*)));//序殻報炎嘔囚暇汽
@@ -498,8 +505,20 @@ void Medusa::ProcessRightMenu(QAction* action)
 	else if (action->text() == "ViewMemory")
 	{
 		_UserMemory.PID = PID;
+		_UserMemory.ui.label->setText("Process:"+
+			ui.tableView->model()->index(ui.tableView->currentIndex().row(), 2).data().toString() +"    CR3:0x0" );
 		_UserMemory.show();
 	}
+	else if (action->text() == "MemoryListR3")
+	{
+		_UserMemoryList.ShowUserMemoryListR3(PID, false);
+		_UserMemoryList.show();
+	}
+	else if (action->text() == "MemoryListR3(second check)")
+	{
+	_UserMemoryList.ShowUserMemoryListR3(PID, true);
+	_UserMemoryList.show();
+	}
 }
 
 void Medusa::HideProcess(bool)

Medusa/Medusa.h

@@ -5,6 +5,7 @@
 #include <QFileDialog>
 #include <QMessageBox>
 #include <QTextCodec>
+#include <QTimer>
 
 #include <fstream>
 #include <sstream>
@@ -24,6 +25,7 @@
 #include "IOCTLScanner.h"
 #include "KernelMemory.h"
 #include "UserMemory.h"
+#include "UserMemoryList.h"
 
 
 #include "Process.h"
@@ -83,7 +85,9 @@ public slots:
 	IOCTLScanner _IOCTLScanner;
 	KernelMemory _KernelMemory;
 	UserMemory _UserMemory;
+	UserMemoryList _UserMemoryList;
 private:
+	QTimer *_QTimer;
     QStandardItemModel* _Model;
 	QStandardItemModel* _Model_Driver;
 	QStandardItemModel* _Model_UnloadDriver;
@@ -265,8 +269,10 @@ public slots:
 
 		_TableView_Action_Memory.setMenu(&_TableView_Menu_Memory);
 		_TableView_Menu_Memory.setTitle("Memory");
+		_TableView_Menu_Memory.addAction("MemoryListR3");
+		_TableView_Menu_Memory.addAction("MemoryListR3(second check)");
+		_TableView_Menu_Memory.addAction("MemoryListR0");
 		_TableView_Menu_Memory.addAction("ViewMemory");
-		_TableView_Menu_Memory.addAction("MemoryList");
 
 		ui.tableView->addAction(&_TableView_Action_Inject);
 		ui.tableView->addAction(&_TableView_Action_HookCheck);

Medusa/Medusa.vcxproj

@@ -162,6 +162,7 @@
     <ClCompile Include="SymParser.cpp" />
     <ClCompile Include="Threads.cc" />
     <ClCompile Include="UserMemory.cc" />
+    <ClCompile Include="UserMemoryList.cc" />
     <QtRcc Include="Medusa.qrc" />
     <QtUic Include="HookScanner.ui" />
     <QtMoc Include="Medusa.h" />
@@ -170,6 +171,7 @@
     <QtUic Include="IOCTLScanner.ui" />
     <QtUic Include="Medusa.ui" />
     <QtUic Include="KernelMemory.ui" />
+    <QtUic Include="UserMemoryList.ui" />
     <QtUic Include="Modules.ui" />
     <QtUic Include="PDBView.ui" />
     <QtUic Include="StackWalk.ui" />
@@ -183,6 +185,7 @@
     <ClInclude Include="EzPdb\EzPdb.h" />
     <ClInclude Include="FileCheck.h" />
     <ClInclude Include="SymParser.h" />
+    <QtMoc Include="UserMemoryList.h" />
     <QtMoc Include="UserMemory.h" />
     <QtMoc Include="StackWalk.h" />
     <QtMoc Include="Threads.h" />

Medusa/Medusa.vcxproj.filters

@@ -190,6 +190,9 @@
     <ClCompile Include="UserMemory.cc">
       <Filter>Source Files</Filter>
     </ClCompile>
+    <ClCompile Include="UserMemoryList.cc">
+      <Filter>Source Files</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="Process.h">
@@ -274,6 +277,9 @@
     <QtUic Include="UserMemory.ui">
       <Filter>Form Files</Filter>
     </QtUic>
+    <QtUic Include="UserMemoryList.ui">
+      <Filter>Form Files</Filter>
+    </QtUic>
   </ItemGroup>
   <ItemGroup>
     <QtMoc Include="HookScanner.h">
@@ -300,6 +306,9 @@
     <QtMoc Include="UserMemory.h">
       <Filter>Header Files</Filter>
     </QtMoc>
+    <QtMoc Include="UserMemoryList.h">
+      <Filter>Header Files</Filter>
+    </QtMoc>
   </ItemGroup>
   <ItemGroup>
     <MASM Include="asm64.asm">

Medusa/UserMemory.cc

@@ -32,6 +32,17 @@ UserMemory::UserMemory(QWidget* parent)
 	connect(ui.textEdit->verticalScrollBar(), &QScrollBar::valueChanged, this, &UserMemory::TexeBar);
 	connect(ui.textEdit_2->verticalScrollBar(), &QScrollBar::valueChanged, this, &UserMemory::TexeBar);
 	connect(ui.textEdit_3->verticalScrollBar(), &QScrollBar::valueChanged, this, &UserMemory::TexeBar);
+
+	connect(ui.tabWidget, SIGNAL(currentChanged(int)), SLOT(ChangeTab()));//½ø³Ì
+	//connect(ui.tabWidget, SIGNAL(tabBarClicked(int)), SLOT(ChangeTab()));//½ø³Ì
+}
+
+void UserMemory::ChangeTab()
+{
+	if (ui.lineEdit->text() != "" && ui.lineEdit_2->text() != "")
+	{
+		QueryMemory();
+	}
 }
 
 void UserMemory::TexeBar(int value)
@@ -72,7 +83,15 @@ void UserMemory::DumpMemory()
 	{
 		char* temp_buffer = new char[Size];
 		RtlZeroMemory(temp_buffer, Size);
-		ULONG64 ret = ReadUserMemory(Addr, Size, temp_buffer);
+		ULONG64 ret = 0;
+		if (ui.radioButton_6->isChecked())
+		{
+			ret = ReadUserMemoryR3(Addr, Size, temp_buffer);
+		}
+		else
+		{
+			ret = ReadUserMemoryR0(Addr, Size, temp_buffer);
+		}
 		if (ret)
 		{
 			std::fstream temp_file(addr_str, std::ios::out | std::ios::binary);
@@ -81,9 +100,11 @@ void UserMemory::DumpMemory()
 				temp_file << std::string(temp_buffer, ret);
 				temp_file.close();
 				QMessageBox::information(this, "Ret", "susscss");
+				delete temp_buffer;
 				return;
 			}
 		}
+		delete temp_buffer;
 	}
 	QMessageBox::information(this, "Ret", "error");
 }
@@ -107,7 +128,15 @@ void UserMemory::DumpASM()
 	{
 		char* temp_buffer = new char[Size];
 		RtlZeroMemory(temp_buffer, Size);
-		ULONG64 ret = ReadUserMemory(Addr, Size, temp_buffer);
+		ULONG64 ret = 0;
+		if (ui.radioButton_6->isChecked())
+		{
+			ret = ReadUserMemoryR3(Addr, Size, temp_buffer);
+		}
+		else
+		{
+			ret = ReadUserMemoryR0(Addr, Size, temp_buffer);
+		}
 		if (ret)
 		{
 			std::fstream temp_file(addr_str + ".txt", std::ios::out | std::ios::binary);
@@ -154,9 +183,11 @@ void UserMemory::DumpASM()
 				}
 				temp_file.close();
 				QMessageBox::information(this, "Ret", "susscss");
+				delete temp_buffer;
 				return;
 			}
 		}
+		delete temp_buffer;
 	}
 	QMessageBox::information(this, "Ret", "error");
 }
@@ -281,11 +312,22 @@ void UserMemory::QueryMemory()
 		RtlZeroMemory(temp_buffer, Size);
 		if (ui.radioButton_6->isChecked())
 		{
-
+			ULONG64 ret = ReadUserMemoryR3(Addr, Size, temp_buffer);
+			if (ret)
+			{
+				if (ui.tabWidget->currentIndex() == 0)
+				{
+					QueryMemoryTable2(temp_buffer, ret, Addr, Size);
+				}
+				if (ui.tabWidget->currentIndex() == 1)
+				{
+					QueryMemoryTable1(temp_buffer, ret, Addr);
+				}
+			}
 		}
 		else
 		{
-			ULONG64 ret = ReadUserMemory(Addr, Size, temp_buffer);
+			ULONG64 ret = ReadUserMemoryR0(Addr, Size, temp_buffer);
 			if (ret)
 			{
 				if (ui.tabWidget->currentIndex() == 0)
@@ -297,13 +339,25 @@ void UserMemory::QueryMemory()
 					QueryMemoryTable1(temp_buffer, ret, Addr);
 				}
 			}
-			delete temp_buffer;
 		}
+		delete temp_buffer;
+	}
+}
+
+ULONG64 UserMemory::ReadUserMemoryR3(ULONG64 Addr, ULONG64 Size, void* Buffer)
+{
+	HANDLE handle = OpenProcess(PROCESS_VM_READ, false, PID);
+	if (!handle)
+	{
+		return 0;
 	}
+	SIZE_T lpNumberOfBytesRead = 0;
+	ReadProcessMemory(handle, (void*)Addr, Buffer, Size, &lpNumberOfBytesRead);
+	return lpNumberOfBytesRead;
 }
 
 #define TEST_ReadUserMemory CTL_CODE(FILE_DEVICE_UNKNOWN,0x7117,METHOD_BUFFERED ,FILE_ANY_ACCESS)
-ULONG64 UserMemory::ReadUserMemory(ULONG64 Addr, ULONG64 Size, void* Buffer)
+ULONG64 UserMemory::ReadUserMemoryR0(ULONG64 Addr, ULONG64 Size, void* Buffer)
 {
 	HANDLE m_hDevice = CreateFileA("\\\\.\\IO_Control", GENERIC_READ | GENERIC_WRITE, 0,
 		NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

Medusa/UserMemory.h

@@ -28,7 +28,8 @@ class UserMemory : public QMainWindow
 	UserMemory(QWidget* parent = nullptr);
 	~UserMemory() = default;
 public:
-	ULONG64 ReadUserMemory(ULONG64 Addr, ULONG64 Size, void* Buffer);
+	ULONG64 ReadUserMemoryR3(ULONG64 Addr, ULONG64 Size, void* Buffer);
+	ULONG64 ReadUserMemoryR0(ULONG64 Addr, ULONG64 Size, void* Buffer);
 	ULONG64 GetKernelCR3();
 public:
 	void QueryMemoryTable1(char* temp_buffer, ULONG64 ret, ULONG64 Addr);
@@ -38,6 +39,7 @@ public slots:
 	void DumpASM();
 	void QueryMemory();
 	void TexeBar(int value);
+	void ChangeTab();
 public:
 	Ui::Form_UserMemory ui;
 	QStandardItemModel* _Model;

Medusa/UserMemory.ui

@@ -205,7 +205,7 @@
   </widget>
   <widget class="QLabel" name="label">
    <property name="enabled">
-    <bool>false</bool>
+    <bool>true</bool>
    </property>
    <property name="geometry">
     <rect>
@@ -216,7 +216,7 @@
     </rect>
    </property>
    <property name="text">
-    <string>Process:Medusa    CR3:</string>
+    <string>Process:Medusa    CR3:0x0</string>
    </property>
   </widget>
   <widget class="QRadioButton" name="radioButton_3">